[AOLSERVER] AOLServer+pound problem


Alexey Pechnikov

Apr 29, 2009, 4:32:45 PM
to AOLS...@listserv.aol.com
Hello!

I now have a problem with AOLServer (version 4.5.1) and pound (2.4.3.1). With
500+ active users my pound SSL proxy is not effective (on a Core Quad server the
load average is <= 2.0 and system idle is about 0.5, but the response time is more
than 1 second! AOL can serve pages fast, but pound is the bottleneck). I need
cookie-based virtual hosts. Is nginx good for me?

P.S. Russian is my native language, so I can read the nginx documentation.

As an example, my pound configuration:

Service
    # Drop any client-supplied X-SSL-* header so a client cannot forge the
    # SSL headers pound itself adds for the backend
    HeadDeny "X-SSL-.*"
    # Dots are escaped so they match literally; the pattern is still a
    # substring match, so a Host such as offline.mts.mobigroup.ru.example.net
    # would also pass
    HeadRequire "Host:.*offline\.mts\.mobigroup\.ru.*"
    # Route on the pre-set session cookie (a substring match: unit%3D1 is also
    # a prefix of unit%3D10, so with more than nine units a terminator is needed)
    HeadRequire "Cookie: .*session=branch%3Dstable&unit%3D1"
    BackEnd
        Address 127.0.0.1
        Port 8001
    End
End

Service
    HeadDeny "X-SSL-.*"
    HeadRequire "Host:.*offline\.mts\.mobigroup\.ru.*"
    HeadRequire "Cookie: .*session=branch%3Dstable&unit%3D3"
    BackEnd
        Address 127.0.0.1
        Port 8003
    End
End

...

# Fallback for the host when no unit cookie matched
Service
    HeadDeny "X-SSL-.*"
    HeadRequire "Host:.*offline\.mts\.mobigroup\.ru.*"
    BackEnd
        Address 127.0.0.1
        Port 8000
    End
End


Best regards, Alexey Pechnikov.
http://pechnikov.tel/


--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <list...@listserv.aol.com> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.

Joseph Kondel

Apr 29, 2009, 7:29:41 PM
to AOLS...@listserv.aol.com
I've not used pound but do use HAProxy and have found it quite
capable. Some say it's a bit more difficult to setup for the average
user ( mostly because it has A LOT of features / options ) but I doubt
it would give anyone on this list a problem.

I bring it up because when researching which LB to use ( pound,
haproxy, nginx, etc... ) I found a couple of sites mentioning how
resource intensive pound seemed to be.

Give it a look if you are unable to solve the pound issue.

HAProxy site : http://haproxy.1wt.eu/

One discussion of HAProxy vs. Pound : http://highscalability.com/product-haproxy-reliable-high-performance-tcp-http-load-balancer

-j

Gustaf Neumann

Apr 30, 2009, 2:40:17 AM
to AOLS...@listserv.aol.com
Dear Alexey,

My recommendation is to try nginx. We have up to 3000 concurrently open
TCP connections, and the system is very responsive. On the same system we ran
into problems at about 800 connections with pound; then we reduced the stack
size, which helped until 1500 connections, then we switched.

nginx is more work to configure. At least the English documentation is
sometimes tough to read, but here you have an advantage. nginx is very stable
and fully featured.

-gustaf neumann


Alexey Pechnikov

Apr 30, 2009, 4:56:27 AM
to AOLS...@listserv.aol.com
Hello!

On Thursday 30 April 2009 10:40:17 Gustaf Neumann wrote:
> nginx is more work to configure. At least the English documentation is
> sometimes tough to read, but here you have an advantage. nginx is very
> stable and fully featured.

Are you using nginx+SSL or AOL+SSL? I'm using pound as an HTTPS proxy for HTTP AOL
sites now.

Gustaf Neumann

Apr 30, 2009, 8:33:24 AM
to AOLS...@listserv.aol.com
We use nginx+SSL and used pound+SSL before.
We have no SSL configured for the AOLserver.
-gustaf neumann


Alexey Pechnikov

Apr 30, 2009, 5:38:17 PM
to AOLS...@listserv.aol.com
Hello!

On Thursday 30 April 2009 03:29:41 Joseph Kondel wrote:
> Give it a look if you are unable to solve the pound issue.
>
> HAProxy site : http://haproxy.1wt.eu/

I did try to use HAProxy, but I found that it works with cookies incorrectly.
HAProxy deletes or rewrites server cookies which were defined by the client or
server! So it's not possible to have pre-defined cookies for all servers. I'm
now trying to patch the HAProxy code, but this code is not simple for me...

As an example:

cookie serverid
server main 127.0.0.1:8000 check
server stable1 127.0.0.1:8001 cookie stable1 check
server stable2 127.0.0.1:8001 cookie stable1 check
...

The "serverid" cookie is defined by server "main", and this value _doesn't need_
to be modified by HAProxy. But HAProxy always damages cookies. The directive

appsession serverid len 10 timeout 3h

is not useful either.

Alexey Pechnikov

May 2, 2009, 10:12:21 AM
to AOLS...@listserv.aol.com
Hello!

On Thursday 30 April 2009 03:29:41 Joseph Kondel wrote:

> I've not used pound but do use HAProxy and have found it quite
> capable. Some say it's a bit more difficult to setup for the average
> user ( mostly because it has A LOT of features / options ) but I doubt
> it would give anyone on this list a problem.

Now I have rewritten my Pound configuration for HAProxy, and the latter is simpler
and more robust. Big thanks to Willy Tarreau for the nice solution and for the
answers to my questions! I will use stunnel for HTTPS access and will add some
redirections to the HAProxy config to prevent HTTP authorization.

====================
defaults
    # Header ACLs (hdr_sub) only work in HTTP mode; assumed here, it is not
    # in the posted fragment
    mode http
    # 'balance' is a backend directive and is ignored (with a warning) in a
    # frontend, so it lives in defaults instead
    balance roundrobin
    option forceclose

frontend www
    bind 0.0.0.0:9999
    # hdr_sub is a substring test: mydomain.ru.example.net matches too
    acl offline hdr_sub(host) mydomain.ru
    # Any client can set this cookie and choose its backend; note also that
    # serverid=stable1 is a substring of serverid=stable10
    acl stable1 hdr_sub(cookie) serverid=stable1
    acl stable3 hdr_sub(cookie) serverid=stable3
    use_backend back_stable1 if offline stable1
    use_backend back_stable3 if offline stable3
    # Requests for the host without a matching cookie go to the work branch;
    # there is no default_backend, so other Host values get a 503 from HAProxy
    use_backend back_work if offline

backend back_stable1
    server stable1 127.0.0.1:8001

backend back_stable3
    server stable3 127.0.0.1:8003

backend back_work
    server work 127.0.0.1:8000
====================
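
The routing rules in the configuration above select a backend from two client-controlled headers with substring tests. The following is an added example, not code from the post, from HAProxy or from AOLserver: it models the posted ACLs (`hdr_sub(host) mydomain.ru`, `hdr_sub(cookie) serverid=stable1` / `stable3`, fallthrough to the work backend) as plain substring checks in `route_substring`, and beside it `route_exact`, which parses the Cookie header into name/value pairs and compares the Host (minus port) and cookie value exactly. The function names and the sample requests are constructed for the illustration; `mydomain.ru`, the backend names and ports are the ones from the post.

```python
"""Substring ACLs versus exact matching for cookie-based backend selection.

Added illustration of the posted HAProxy frontend; not HAProxy code.
Hypothetical names: route_substring, route_exact, parse_cookies, SAMPLE_REQUESTS.
"""

SITE_HOST = "mydomain.ru"                      # from the posted config
BACKENDS = {                                   # from the posted config
    "stable1": "127.0.0.1:8001",
    "stable3": "127.0.0.1:8003",
    "work": "127.0.0.1:8000",
}


def hdr_values(headers, name):
    """All values of one header (headers may repeat); name match is case-insensitive."""
    return [v for n, v in headers if n.lower() == name.lower()]


def route_substring(headers):
    """Mirror of the posted ACLs: hdr_sub is a plain substring test."""
    host = " ".join(hdr_values(headers, "host"))
    cookie = "; ".join(hdr_values(headers, "cookie"))
    if SITE_HOST not in host:
        return None                            # no use_backend matched: HAProxy answers 503
    if "serverid=stable1" in cookie:
        return "stable1"
    if "serverid=stable3" in cookie:
        return "stable3"
    return "work"


def parse_cookies(headers):
    """Split every Cookie header into name -> value; the first occurrence wins."""
    jar = {}
    for value in hdr_values(headers, "cookie"):
        for pair in value.split(";"):
            name, sep, val = pair.strip().partition("=")
            if sep and name and name not in jar:
                jar[name] = val.strip()
    return jar


def route_exact(headers):
    """Same routing, but exact on Host (port stripped) and on the cookie value."""
    hosts = hdr_values(headers, "host")
    if len(hosts) != 1:
        return None                            # missing or duplicate Host is ambiguous: refuse
    host = hosts[0].strip().lower().rsplit(":", 1)[0]
    if host != SITE_HOST:
        return None
    unit = parse_cookies(headers).get("serverid")
    return unit if unit in ("stable1", "stable3") else "work"


# Constructed requests, as (header name, value) lists.
SAMPLE_REQUESTS = {
    "plain":     [("Host", "mydomain.ru"), ("Cookie", "serverid=stable1")],
    "with_port": [("Host", "mydomain.ru:9999"), ("Cookie", "lang=ru; serverid=stable3")],
    "no_cookie": [("Host", "mydomain.ru")],
    "unit10":    [("Host", "mydomain.ru"), ("Cookie", "serverid=stable10")],
    "lookalike": [("Host", "mydomain.ru.example.net"), ("Cookie", "serverid=stable1")],
    "smuggled":  [("Host", "mydomain.ru"), ("Cookie", "note=serverid=stable1")],
}


def compare():
    """Backend chosen by each policy for every sample: name -> (substring, exact)."""
    return {name: (route_substring(h), route_exact(h)) for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (sub, exact) in compare().items():
        flag = "" if sub == exact else "   <-- differs"
        print(f"{name:10s} substring={sub!s:8s} exact={exact!s:8s}{flag}")
```

The two policies agree on the ordinary requests and differ on `unit10`, `lookalike` and `smuggled`: the substring rules send all three to `stable1`, while the exact rules send the first and last to `work` and refuse the lookalike host. Whether that matters depends on whether the backends differ only in code branch, as in the post, or in what they are allowed to serve.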

Joseph Kondel

May 2, 2009, 11:20:15 AM
to AOLS...@listserv.aol.com
Glad you were able to get haproxy working. I have a similar setup
where I use stunnel in front of haproxy to handle all the ssl. If you
need I can paste in some sample config directives.

Also be aware that if you care about logs you should patch stunnel to
support the x-forwarded-for header. Otherwise your app server logs will
be filled with the proxy ip. In addition you might want to patch
haproxy with the conditional redirect patch for 1.13.5.

I believe both patches can be found on or linked off the haproxy site.

Joseph Kondel

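Once stunnel (or HAProxy with `option forwardfor`) inserts X-Forwarded-For, the application server has to decide when to believe it: any client can send that header itself, and with two proxies in a row the header can carry more than one hop. The following is an added example, not code from stunnel, HAProxy or the poster, showing one way to derive the address to log. The trusted proxy addresses (loopback and the stunnel address from the thread) and the sample cases are assumptions made for the illustration; `client_ip` and `resolve_samples` are hypothetical names.

```python
"""Pick the client address to log when requests arrive via stunnel/HAProxy.

Added illustration for this thread; not stunnel, HAProxy or AOLserver code.
Hypothetical: TRUSTED_PROXIES, client_ip, resolve_samples, SAMPLES.
"""
import ipaddress

# Assumed: the addresses the proxy chain (stunnel, then HAProxy) connects from.
# Only these peers are allowed to tell the app server who the client was.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "213.148.6.78/32")]


def _as_ip(text):
    """Parse one address, or return None for anything that is not an IP literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted_proxy(text):
    ip = _as_ip(text)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, xff=None):
    """Return the address to log for a request.

    peer_ip: the TCP peer the app server accepted the connection from.
    xff: X-Forwarded-For as received: a string, a list of header values
         (HAProxy's 'option forwardfor' adds its own header line), or None.

    The header is honoured only when the peer is a trusted proxy, and it is
    read right to left, skipping our own hops, so a client cannot prepend a
    fake address and have it logged as its own.
    """
    if not _is_trusted_proxy(peer_ip) or not xff:
        return peer_ip
    if isinstance(xff, (list, tuple)):
        xff = ",".join(xff)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted_proxy(hop):
            continue                      # one of our proxies appended itself; keep walking
        ip = _as_ip(hop)
        return str(ip) if ip is not None else peer_ip   # junk: never log it as the client
    return peer_ip                        # every hop was one of our own proxies


# Constructed cases: name -> (peer address, X-Forwarded-For as received)
SAMPLES = {
    "stunnel_only":         ("127.0.0.1", "198.51.100.7"),
    "stunnel_then_haproxy": ("127.0.0.1", ["198.51.100.7", "213.148.6.78"]),
    "forged_prefix":        ("127.0.0.1", "10.0.0.1, 198.51.100.7"),
    "direct_forged":        ("198.51.100.7", "10.0.0.1"),
    "no_header":            ("127.0.0.1", None),
    "junk":                 ("127.0.0.1", "unknown"),
}


def resolve_samples():
    """Address that would be logged for each sample case."""
    return {name: client_ip(peer, xff) for name, (peer, xff) in SAMPLES.items()}


if __name__ == "__main__":
    for name, ip in resolve_samples().items():
        print(f"{name:22s} -> {ip}")
```

The same rule serves access control as well as logging: an IP-based allow list in the application must be evaluated on the value `client_ip` returns, never on the raw header, or a direct connection with a forged X-Forwarded-For walks straight past it.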

Alexey Pechnikov

May 2, 2009, 2:44:25 PM
to AOLS...@listserv.aol.com
Hello!

On Saturday 02 May 2009 19:20:15 Joseph Kondel wrote:
> Glad you were able to get haproxy working. I have a similar setup
> where I use stunnel in front of haproxy to handle all the ssl. If you
> need I can paste in some sample config directives.

How do you tune HAProxy+stunnel? I have a working HAProxy+stunnel setup but
haven't tested it in production. My config is attached.

>
> Also be aware that if you care about logs you should patch stunnel to
> supper the x-forwarded-for header. Otherwise your app server logs will
> be filled with the proxy ip. In addition you might want to patch
> haproxy with the conditional redirect patch for 1.13.5.
>
> I believe both patches can be found on or linked off the haproxy site.

I fixed the stunnel-4.20-xforwarded-for.diff for stunnel version 4.22-2 (for
the Debian Lenny distribution) and sent it back to the author. I believe
Willy Tarreau will validate and publish it on the HAProxy site soon.


stunnel.conf
==========================
; Protocol version (all, SSLv2, SSLv3, TLSv1)
; SSLv3 is broken (POODLE) and must not be offered on a current system:
; use sslVersion = TLSv1 or later, or sslVersion = all with options = NO_SSLv3
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[https78]
; PEM with the certificate (and chain) plus the private key; keep it readable
; only by root, since stunnel drops to the stunnel4 user after loading it
cert = /etc/stunnel/mobigroup.pem
accept = 213.148.6.78:443
; plain HTTP to the proxy behind stunnel; only that proxy should accept the
; X-Forwarded-For header added here
connect = 213.148.6.78:80
; not a stock stunnel option: provided by the x-forwarded-for patch from the
; HAProxy site
xforwardedfor = yes

==========================
